LinuxQuestions.org
Did you know LQ has a Linux Hardware Compatibility List?
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices

Reply
 
Search this Thread
Old 02-25-2007, 08:34 AM   #1
neocontrol
Member
 
Registered: Jul 2005
Posts: 273

Rep: Reputation: 31
nessus scan - openssl vulnerability


Hi all,

I did a nessus scan on some of my servers today, and I got back this.

Code:
The remote host is using a version of OpenSSL which is
older than 0.9.6m or 0.9.7d

There are several bug in this version of OpenSSL which may allow
an attacker to cause a denial of service against the remote host.

*** Nessus solely relied on the banner of the remote host
*** to issue this warning

Solution : Upgrade to version 0.9.6m (0.9.7d) or newer
Risk factor : High
CVE : CVE-2004-0079, CVE-2004-0081, CVE-2004-0112
BID : 9899
Other references : IAVA:2004-B-0006
I went and did a upgrade to versioin 0.9.8. Now when I run "openssl version", I get this:

OpenSSL 0.9.8e 23 Feb 2007

So after upgrading, I re-ran the nessus scan. And I got back the same result. I imagine this is an apache config problem?

I'm running apache 2.2.4 w/ php5.2.1. openssl is version 0.9.8.

Can anyone give me some direction?
 
Old 02-25-2007, 03:25 PM   #2
Mara
Moderator
 
Registered: Feb 2002
Location: Grenoble
Distribution: Debian
Posts: 9,535

Rep: Reputation: 148Reputation: 148
Check the service it reports a problem with. The thing is that quite many programs link with OpenSSL directly and do not use the version you have installed in your system. You'd need to update the service if that's the case.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
LXer: Qualys Offers Free Vulnerability Scan Mapped to New Threats ... LXer Syndicated Linux News 0 05-08-2006 03:33 PM
Can someone do a Nessus scan on my IP Address? tangle Linux - Security 1 01-31-2005 02:08 PM
Cant scan with nmap or nessus saltas Linux - Networking 2 09-29-2004 03:34 PM
udp vulnerability (nessus report) wedgeworth Linux - Networking 15 05-13-2004 03:59 PM
WARN: OpenSSL NULL Pointer Assignment vulnerability unSpawn Linux - Security 1 03-18-2004 12:11 PM


All times are GMT -5. The time now is 02:15 AM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration